  1. <?php
  2. function nuke_session() {
  3. unset($_SESSION['authenticated']);
  4. unset($_SESSION['uid']);
  5. unset($_SESSION['visitor_id']);
  6. unset($_SESSION['administrator']);
  7. unset($_SESSION['cid']);
  8. unset($_SESSION['theme']);
  9. unset($_SESSION['page_flags']);
  10. }
  11. // login/logout
  12. if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) || ($_POST['auth-params'] !== 'login'))) {
  13. if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) {
  14. // process logout request
  15. nuke_session();
  16. notice( t('Logged out.') . EOL);
  17. goaway($a->get_baseurl());
  18. }
  19. if(x($_SESSION,'uid')) {
  20. // already logged in user returning
  21. $check = get_config('system','paranoia');
  22. // extra paranoia - if the IP changed, log them out
  23. if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
  24. nuke_session();
  25. goaway($a->get_baseurl());
  26. }
  27. $r = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1",
  28. intval($_SESSION['uid'])
  29. );
  30. if(! count($r)) {
  31. nuke_session();
  32. goaway($a->get_baseurl());
  33. }
  34. // initialise user environment
  35. $a->user = $r[0];
  36. $_SESSION['theme'] = $a->user['theme'];
  37. $_SESSION['page_flags'] = $a->user['page-flags'];
  38. if(strlen($a->user['timezone'])) {
  39. date_default_timezone_set($a->user['timezone']);
  40. $a->timezone = $a->user['timezone'];
  41. }
  42. $_SESSION['my_url'] = $a->get_baseurl() . '/profile/' . $a->user['nickname'];
  43. $r = q("SELECT `uid`,`username` FROM `user` WHERE `password` = '%s' AND `email` = '%s'",
  44. dbesc($a->user['password']),
  45. dbesc($a->user['email'])
  46. );
  47. if(count($r))
  48. $a->identities = $r;
  49. $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `self` = 1 LIMIT 1",
  50. intval($_SESSION['uid']));
  51. if(count($r)) {
  52. $a->contact = $r[0];
  53. $a->cid = $r[0]['id'];
  54. $_SESSION['cid'] = $a->cid;
  55. }
  56. header('X-Account-Management-Status: active; name="' . $a->user['username'] . '"; id="' . $a->user['nickname'] .'"');
  57. }
  58. }
  59. else {
  60. if(isset($_SESSION)) {
  61. nuke_session();
  62. }
  63. if((x($_POST,'password')) && strlen($_POST['password']))
  64. $encrypted = hash('whirlpool',trim($_POST['password']));
  65. else {
  66. if((x($_POST,'openid_url')) && strlen($_POST['openid_url'])) {
  67. $noid = get_config('system','no_openid');
  68. $openid_url = trim($_POST['openid_url']);
  69. // validate_url alters the calling parameter
  70. $temp_string = $openid_url;
  71. // if it's an email address or doesn't resolve to a URL, fail.
  72. if(($noid) || (strpos($temp_string,'@')) || (! validate_url($temp_string))) {
  73. $a = get_app();
  74. notice( t('Login failed.') . EOL);
  75. goaway($a->get_baseurl());
  76. // NOTREACHED
  77. }
  78. // Otherwise it's probably an openid.
  79. require_once('library/openid.php');
  80. $openid = new LightOpenID;
  81. $openid->identity = $openid_url;
  82. $_SESSION['openid'] = $openid_url;
  83. $a = get_app();
  84. $openid->returnUrl = $a->get_baseurl() . '/openid';
  85. $r = q("SELECT `uid` FROM `user` WHERE `openid` = '%s' LIMIT 1",
  86. dbesc($openid_url)
  87. );
  88. if(count($r)) {
  89. // existing account
  90. goaway($openid->authUrl());
  91. // NOTREACHED
  92. }
  93. else {
  94. if($a->config['register_policy'] == REGISTER_CLOSED) {
  95. $a = get_app();
  96. notice( t('Login failed.') . EOL);
  97. goaway($a->get_baseurl());
  98. // NOTREACHED
  99. }
  100. // new account
  101. $_SESSION['register'] = 1;
  102. $openid->required = array('namePerson/friendly', 'contact/email', 'namePerson');
  103. $openid->optional = array('namePerson/first','media/image/aspect11','media/image/default');
  104. goaway($openid->authUrl());
  105. // NOTREACHED
  106. }
  107. }
  108. }
  109. if((x($_POST,'auth-params')) && $_POST['auth-params'] === 'login') {
  110. $record = null;
  111. $addon_auth = array(
  112. 'username' => trim($_POST['openid_url']),
  113. 'password' => trim($_POST['password']),
  114. 'authenticated' => 0,
  115. 'user_record' => null
  116. );
  117. /**
  118. *
  119. * A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
  120. * Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
  121. * and later plugins should not interfere with an earlier one that succeeded.
  122. *
  123. */
  124. call_hooks('authenticate', $addon_auth);
  125. if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {
  126. $record = $addon_auth['user_record'];
  127. }
  128. else {
  129. // process normal login request
  130. $r = q("SELECT * FROM `user` WHERE ( `email` = '%s' OR `nickname` = '%s' )
  131. AND `password` = '%s' AND `blocked` = 0 AND `verified` = 1 LIMIT 1",
  132. dbesc(trim($_POST['openid_url'])),
  133. dbesc(trim($_POST['openid_url'])),
  134. dbesc($encrypted)
  135. );
  136. if(count($r))
  137. $record = $r[0];
  138. }
  139. if((! $record) || (! count($record))) {
  140. logger('authenticate: failed login attempt: ' . trim($_POST['openid_url']));
  141. notice( t('Login failed.') . EOL );
  142. goaway($a->get_baseurl());
  143. }
  144. $_SESSION['uid'] = $record['uid'];
  145. $_SESSION['theme'] = $record['theme'];
  146. $_SESSION['authenticated'] = 1;
  147. $_SESSION['page_flags'] = $record['page-flags'];
  148. $_SESSION['my_url'] = $a->get_baseurl() . '/profile/' . $record['nickname'];
  149. $_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
  150. $a->user = $record;
  151. if($a->user['login_date'] === '0000-00-00 00:00:00') {
  152. $_SESSION['return_url'] = 'profile_photo/new';
  153. $a->module = 'profile_photo';
  154. notice( t("Welcome ") . $a->user['username'] . EOL);
  155. notice( t('Please upload a profile photo.') . EOL);
  156. }
  157. else
  158. notice( t("Welcome back ") . $a->user['username'] . EOL);
  159. if(strlen($a->user['timezone'])) {
  160. date_default_timezone_set($a->user['timezone']);
  161. $a->timezone = $a->user['timezone'];
  162. }
  163. $r = q("SELECT `uid`,`username` FROM `user` WHERE `password` = '%s' AND `email` = '%s'",
  164. dbesc($a->user['password']),
  165. dbesc($a->user['email'])
  166. );
  167. if(count($r))
  168. $a->identities = $r;
  169. $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `self` = 1 LIMIT 1",
  170. intval($_SESSION['uid']));
  171. if(count($r)) {
  172. $a->contact = $r[0];
  173. $a->cid = $r[0]['id'];
  174. $_SESSION['cid'] = $a->cid;
  175. }
  176. q("UPDATE `user` SET `login_date` = '%s' WHERE `uid` = %d LIMIT 1",
  177. dbesc(datetime_convert()),
  178. intval($_SESSION['uid'])
  179. );
  180. call_hooks('logged_in', $a->user);
  181. header('X-Account-Management-Status: active; name="' . $a->user['username'] . '"; id="' . $a->user['nickname'] .'"');
  182. if(($a->module !== 'home') && isset($_SESSION['return_url']))
  183. goaway($a->get_baseurl() . '/' . $_SESSION['return_url']);
  184. }
  185. }
  186. // Returns an array of group id's this contact is a member of.
  187. // This array will only contain group id's related to the uid of this
  188. // DFRN contact. They are *not* neccessarily unique across the entire site.
  189. if(! function_exists('init_groups_visitor')) {
  190. function init_groups_visitor($contact_id) {
  191. $groups = array();
  192. $r = q("SELECT `gid` FROM `group_member`
  193. WHERE `contact-id` = %d ",
  194. intval($contact_id)
  195. );
  196. if(count($r)) {
  197. foreach($r as $rr)
  198. $groups[] = $rr['gid'];
  199. }
  200. return $groups;
  201. }}